Full description

Virus:	TR/IRCBot.LZ.4
Date discovered:	26/09/2005
Type:	Trojan
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Medium
Damage Potential:	Medium
Static file:	Yes
File size:	83.436 Bytes
MD5 checksum:	f110d9ac3ed4e96d3d25db7a5d93d99d
VDF version:	6.32.0.44

General Method of propagation:
   • Local network

Aliases:
   • Symantec: Backdoor.Sdbot
   • Kaspersky: Backdoor.Win32.Agobot.afp
   • TrendMicro: WORM_SDBOT.CHG
   • F-Secure: W32/Sdbot.MBM
   • VirusBuster: Worm.SdBot.BJL
   • Bitdefender: Backdoor.RBot.CBS

Platforms / OS:
   • Windows NT
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops files
   • Lowers security settings
   • Registry modification
   • Third party control

Files It copies itself to the following location:
   • %SYSDIR%\winsvc32.exe

It deletes the initially executed copy of itself.

The following files are created:

– Temporary files that might be deleted afterwards:
   • %TEMPDIR%\oo.reg
   • c:\a.bat

Registry The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Windows Services"="winsvc32.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "Windows Services"="winsvc32.exe"

The following registry keys are added:

– [HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
   • "AllowUnqualifiedQuery"=dword:00000000
   • "PrioritizeRecordData"=dword:00000001
   • "TCP1320Opts"=dword:00000003
   • "KeepAliveTime"=dword:00023280
   • "BcastQueryTimeout"=dword:000002ee
   • "BcastNameQueryCount"=dword:00000001
   • "CacheTimeout"=dword:0000ea60
   • "Size/Small/Medium/Large"=dword:00000003
   • "LargeBufferSize"=dword:00001000
   • "SynAckProtect"=dword:00000002
   • "PerformRouterDiscovery"=dword:00000000
   • "EnablePMTUBHDetect"=dword:00000000
   • "FastSendDatagramThreshold "=dword:00000400
   • "StandardAddressLength "=dword:00000018
   • "DefaultReceiveWindow "=dword:00004000
   • "DefaultSendWindow"=dword:00004000
   • "BufferMultiplier"=dword:00000200
   • "PriorityBoost"=dword:00000002
   • "IrpStackSize"=dword:00000004
   • "IgnorePushBitOnReceives"=dword:00000000
   • "DisableAddressSharing"=dword:00000000
   • "AllowUserRawAccess"=dword:00000000
   • "DisableRawSecurity"=dword:00000000
   • "DynamicBacklogGrowthDelta"=dword:00000032
   • "FastCopyReceiveThreshold"=dword:00000400
   • "LargeBufferListDepth"=dword:0000000a
   • "MaxActiveTransmitFileCount"=dword:00000002
   • "MaxFastTransmit"=dword:00000040
   • "OverheadChargeGranularity"=dword:00000001
   • "SmallBufferListDepth"=dword:00000020
   • "SmallerBufferSize"=dword:00000080
   • "TransmitWorker"=dword:00000020
   • "DNSQueryTimeouts" =hex(7):31,00,00,00,32,00,00,00,32,00,00,00,34,00,00,00,38,00,00,00,30,00,00,00,00,00
   • "DefaultRegistrationTTL"=dword:00000014
   • "DisableReplaceAddressesInConflicts"=dword:00000000
   • "DisableReverseAddressRegistrations"=dword:00000001
   • "UpdateSecurityLevel "=dword:00000000
   • "DisjointNameSpace"=dword:00000001
   • "QueryIpMatching"=dword:00000000
   • "NoNameReleaseOnDemand"=dword:00000001
   • "EnableDeadGWDetect"=dword:00000000
   • "EnableFastRouteLookup"=dword:00000001
   • "MaxFreeTcbs"=dword:000007d0
   • "MaxHashTableSize"=dword:00000800
   • "SackOpts"=dword:00000001
   • "Tcp1323Opts"=dword:00000003
   • "TcpMaxDupAcks"=dword:00000001
   • "TcpRecvSegmentSize"=dword:00000585
   • "TcpSendSegmentSize"=dword:00000585
   • "TcpWindowSize"=dword:0007d200
   • "DefaultTTL"=dword:00000030
   • "TcpMaxHalfOpen"=dword:0000004b
   • "TcpMaxHalfOpenRetried"=dword:00000050
   • "TcpTimedWaitDelay"=dword:00000000
   • "MaxNormLookupMemory"=dword:00030d40
   • "FFPControlFlags"=dword:00000001
   • "FFPFastForwardingCacheSize"=dword:00030d40
   • "MaxForwardBufferMemory"=dword:00019df7
   • "MaxFreeTWTcbs"=dword:000007d0
   • "GlobalMaxTcpWindowSize"=dword:0007d200
   • "EnablePMTUDiscovery"=dword:00000001
   • "ForwardBufferMemory"=dword:00019df7

The following registry keys are changed:

– [HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
   Old value:
   • "TransportBindName"=%user defined settings%
   New value:
   • "TransportBindName"=""

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   Old value:
   • "Start"=%user defined settings%
   New value:
   • "Start"=dword:00000004

– [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv]
   Old value:
   • "Start"=%user defined settings%
   New value:
   • "Start"=dword:00000004

– [HKLM\SYSTEM\ControlSet001\Services\wscsvc]
   Old value:
   • "Start"=%user defined settings%
   New value:
   • "Start"=dword:00000004

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
   Old value:
   • "restrictanonymous"=%user defined settings%
   New value:
   • "restrictanonymous"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\
   Protocols\PCT1.0\Server]
   Old value:
   • "Enabled"=%user defined settings%
   New value:
   • "Enabled"=hex:00

– [HKLM\SOFTWARE\Microsoft\Ole]
   Old value:
   • "EnableDCOM"="%user defined settings%
     "EnableRemoteConnect"="%user defined settings%
   New value:
   • "EnableDCOM"="N"
     "EnableRemoteConnect"="N"


– [HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
   Old value:
   • "AutoShareWks"=%user defined settings%
     "AutoShareServer"=%user defined settings%
   New value:
   • "AutoShareWks"=dword:00000000
     "AutoShareServer"=dword:00000000

– [HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
   Old value:
   • "NameServer"=""%user defined settings%
     "ForwardBroadcasts"=%user defined settings%
     "IPEnableRouter"=%user defined settings%
     "Domain"=%user defined settings%
     "SearchList"=%user defined settings%
     "UseDomainNameDevolution"=%user defined settings%
     "EnableICMPRedirect"=%user defined settings%
     "DeadGWDetectDefault"=%user defined settings%
     "DontAddDefaultGatewayDefault"=%user defined settings%
     "EnableSecurityFilters"=%user defined settings%
   New value:
   • "NameServer"=""
     "ForwardBroadcasts"=dword:00000000
     "IPEnableRouter"=dword:00000000
     "Domain"=""
     "SearchList"=""
     "UseDomainNameDevolution"=dword:00000001
     "EnableICMPRedirect"=dword:00000000
     "DeadGWDetectDefault"=dword:00000001
     "DontAddDefaultGatewayDefault"=dword:00000000
     "EnableSecurityFilters"=dword:00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
   Old value:
   • "MaxConnectionsPer1_0Server"=%user defined settings%
     "MaxConnectionsPerServer"=%user defined settings%
   New value:
   • "MaxConnectionsPer1_0Server"=dword:00000050
     "MaxConnectionsPerServer"=dword:00000050

Network Infection It uses the following login information in order to gain access to the remote machine:

– The following list of usernames:
   • administrator; administrador; administrateur; administrat; admins;
      admin; staff; computer; owner; student; teacher; wwwadmin; guest;
      default; database; oracle; linux; admin; ADMIN; Admin; admin123;
      Administrador; Administrateur; administrator; ADMINISTRATOR;
      Administrator; guest; Guest; default; DEFAULT; Default; LOCAL

– The following list of passwords:
   • password; PASSWORD; Password; system; SYSTEM; GUEST; ADMIN; PASSWORD;
      SHARE; WRITE; FILES; ACCESS; BACKUP; SYSTEM; SERVER; LOCAL; passwd;
      database; abc123; xxxxx; xxxxxx; xxxxxxx; xxxxxxxx; xxxxxxxxx; 00000;
      000000

IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: 152.23.204.55
Port: 4891
Channel: #update
Nickname: USA-%five-digit random character string%
Password: w32z

– This malware has the ability to collect and send information such as:
    • Capture screen
    • Capture shot from webcam
    • CPU speed
    • Current user
    • Free disk space
    • Free memory
    • Information about the network
    • Information about running processes
    • Size of memory
    • Username

– Furthermore it has the ability to perform actions such as:
    • connect to IRC server
    • Launch DDoS ICMP flood
    • Launch DDoS SYN flood
    • Launch DDoS TCP flood
    • Launch DDoS UDP flood
    • Disable DCOM
    • Disable network shares
    • disconnect from IRC server
    • Download file
    • Enable DCOM
    • Enable network shares
    • Execute file
    • Join IRC channel
    • Leave IRC channel
    • Open remote shell
    • Perform DDoS attack
    • Perform network scan
    • Perform port redirection
    • Start keylog
    • Terminate malware
    • Terminate process
    • Updates itself
    • Upload file

Stealing It tries to steal the following information:
– Windows Product ID

– The following CD keys:
   • Counter-Strike (Retail); The Gladiators; Gunman Chronicles; Half-Life;
      Industry Giant 2; Legends of Might and Magic; Soldiers Of Anarchy;
      Unreal Tournament 2003; Unreal Tournament 2004; IGI 2: Covert Strike;
      Freedom Force; Battlefield 1942; Battlefield 1942 (Road To Rome);
      Battlefield 1942 (Secret Weapons of WWII); Battlefield Vietnam; Black
      and White; Command and Conquer: Generals (Zero Hour); James Bond 007:
      Nightfire; Command and Conquer: Generals; Global Operations; Medal of
      Honor: Allied Assault; Medal of Honor: Allied Assault: Breakthrough;
      Medal of Honor: Allied Assault: Spearhead; Need For Speed Hot Pursuit
      2; Need For Speed: Underground; Shogun: Total War: Warlord Edition;
      FIFA 2002; FIFA 2003; NHL 2002; NHL 2003; Nascar Racing 2002; Nascar
      Racing 2003; Rainbow Six III RavenShield; Command and Conquer:
      Tiberian Sun; Command and Conquer: Red Alert; Command and Conquer: Red
      Alert 2; NOX; Chrome; Hidden & Dangerous 2; Soldier of Fortune II -
      Double Helix; Neverwinter Nights; Neverwinter Nights (Shadows of
      Undrentide); Neverwinter Nights (Hordes of the Underdark)

– The password from the following program:
   • winlogon

– A logging routine is started after the following website is visited, which contains one of the following substrings in the URL:
   • paypal
   • PAYPAL
   • paypal.com
   • PAYPAL.COM

– It captures:
    • Keystrokes
    • Login information

File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• PE Pack

Description inserted by Razvan Olteanu on Tuesday, September 27, 2005
Description updated by Razvan Olteanu on Friday, September 30, 2005

Back . . . .